How SAF And TSS Are Initialized At IPL Time?

book

Article ID: 48671

calendar_today

Updated On:

Products

CA Cleanup CA Datacom - DB CA Datacom CA Datacom - AD CA Datacom - Server CA CIS CA Common Services for z/OS CA 90s Services CA Database Management Solutions for DB2 for z/OS CA Common Product Services Component CA Common Services CA Datacom/AD CA ecoMeter Server Component FOC CA Easytrieve Report Generator for Common Services CA Infocai Maintenance CA IPC Unicenter CA-JCLCheck Common Component CA Mainframe VM Product Manager CA Chorus Software Manager CA On Demand Portal CA Service Desk Manager - Unified Self Service CA PAM Client for Linux for zSeries CA Mainframe Connector for Linux on System z CA Graphical Management Interface CA Web Administrator for Top Secret CA CA- Xpertware CA Top Secret CA Top Secret - LDAP CA Top Secret - VSE

Issue/Introduction

Description:

At IPL time messages, TSS2000I, TSS2001I and CAS2031I are issued and TSS is even not started yet.

What makes those messages get issued?

Does TSS fully activate after those messages are issued?

Solution:

To answer to those questions, we need to review z/OS IPL phases briefly.

The IPL (Initial Program Load) phases are mainly:

The hardware process of loading z/OS, the HARDWARE IPL.

The loading and initialization of the nucleus, the IPL RIMs. (Resource Initialization Module)

The initialization of general system resources, the NIP RIMs. (Nucleus Initialization Phase)

Master Scheduler Initialization, the MSI initialization

JES initialization

Let's have a look at MSI in more details because it's during this phase that the z/OS security is started.

  1. Initialize MIH services

  2. Complete ASM initialization

  3. Initialize IOS dynamic pathing, create IOSAS

  4. Initialize Master's security environment

  5. Initialize Console attributes, DEL=RD etc.

  6. Initialize APPC services

  7. Initialize TSO services

  8. Initialize LOGREC Logstream recording

  9. Enable ENF services

  10. Initialize System Logger services, creates IXGLOG address space

  11. Vary all available CPs online

  12. Initialize SMF services, creates SMF address space

  13. Issue commands in IEACMD00 and COMMNDxx parmlib members

  14. Initialize RTM services

  15. Initialize System security processing

  16. Build defined subsystems

    Issue START for primary JES subsystem, if requested

  17. Hold primary JES STC and TSO processing

  18. Indicate MSI is complete

  19. Initialize Master command processing

  20. Issue command processing available message

  21. Allow pending address space creates (not done by Master) to complete

  22. Wait for JES to indicate primary services are available.

All IPL processing is now complete.

When security is started modules, ICHSEC00, ICHSEC05, ICHSCDMY are involved. All are aliases of SAFRTSEC and must reside in LPA.

Module SAFRTSEC, which:

  1. Iinitializes the SAF and issues the CAS2031 message.

  2. Calls module TSSMSIM which initializes the security for TSS and writes the TSS2000I and TSS2001I:

    TSS2000I CA TOP SECRET MSTR INITIALIZATION IN PROGRESS
    TSS2001I CA TOP SECRET MSTR INITIALIZATION COMPLETE
    CAS2031I CA SAF interface initialization complete

When all is done, TSS is ready to be started and security is fully available when TSS is up and running.

Environment

Release: TOPSEC00200-15-Top Secret-Security
Component: